about freeradius support
Sergio Yébenes Moreno
sergioyebenes at alumnos.upm.es
Sun Jun 29 19:46:52 CEST 2008
David Wood wrote:
> Hi Sergio,
> In message <48676BB9.1040409 at alumnos.upm.es>, Sergio Yébenes Moreno
> <sergioyebenes at alumnos.upm.es> writes
>> I'm configuring freeradius server with opensc client-side. I'd like
>> to say if freeradius has support for PKCS#11.
>> In wpa_supplicant log I see how client writes TLS-ChangeCipherSpec and
>> TLS-Finished. This means that the server has authenticated but
>> freeradius show TLS error because client do not send
>> certificate. I think it's because PKCS#11. I'm not sure, but I really
>> need to know. I'm using
> The server doesn't care where the certificates and private key are
> stored on the client side; the use of PKCS#11 and a smartcard or token
> is irrelevant and the server needs no special support for PKCS#11.
> The only way the use of the smartcard or token could change things is
> if your supplicant needs the entire certificate chain on the smartcard
> or token, and you've only loaded the certificate itself.
> The only reason the server would need PKCS#11 support is if the
> server's certificate were on a smartcard or token. It's an intriguing
> idea, but I have my doubts that a smartcard or token would keep up
> with the demands placed on it.
> As Nicolas said, the debug log on the server side almost certainly
> contains the answer to this - that's where you should be looking.
> Run radiusd -X and attempt to authenticate using wpa_supplicant and
> your token or smartcard. What does the server's debug output say? If
> you can see the server rejecting the authentication attempt, look back
> for the reason. If the server accepts the authentication attempt, the
> problem is elsewhere.
> Best wishes,
"The server doesn't care where the certificates and private key are
stored on the client side; the use of PKCS#11 and a smartcard or token
is irrelevant and the server needs no special support for PKCS#11."
That rules. It's true. I've seen in the wpa_supplicant log that it can't access
the private key (fuckin' key_id), but even so, the client makes
client_certificate, client_key_exchange, ... and tcpdump shows
RADIUS-Access-Request... I'll ask about this at opensc-project, but it looks
like you know what you're speaking about. Do you know if freeradius can make
they mention ocsp protocol but in eap.conf there is nothing about this!!